The remote code execution vulnerability can be exploited by an attacker with an “author” account, using a combination of two vulnerabilities, Path Traversal and Local File Inclusion, that reside in the WordPress core.

The requirement of an author account reduces the risk to some extent, but the flaw could still be exploited by a rogue contributor or by an attacker who manages to obtain such credentials.

Here’s How it Works

According to Simon Scannell, an attacker can take advantage of the image management system, which stores metadata such as description, size, creator and other information. A rogue or compromised account can modify the post meta entries associated with an image and set them to arbitrary values, which is what leads to the vulnerability.

“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php,” Scannell explains.

And, “it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg.”
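The two payload shapes quoted above share a signature that a site owner can check for directly: a `?` in what should be a plain file path, and `..` segments that move the file out of its intended location. The following audit routine is an added example written for this article; it is not WordPress code and not Scannell's proof of concept. It assumes a constructed set of `_wp_attached_file` rows exported from the `wp_postmeta` table and an assumed uploads root, and reports which rows carry either ingredient of the attack.

```python
"""Audit _wp_attached_file values for the query-string and traversal
ingredients described above.

Constructed example: the uploads root and the sample rows are assumptions,
not values taken from any real site.
"""
import posixpath
from urllib.parse import unquote

# Assumed install path of the uploads directory.
UPLOADS_ROOT = "/var/www/html/wp-content/uploads"

# Constructed wp_postmeta rows: (post_id, meta_value) for meta_key=_wp_attached_file.
SAMPLE_ROWS = [
    (11, "2019/02/photo.jpg"),                 # benign
    (12, "2019/02/evil.jpg?shell.php"),        # first payload shape from the article
    (13, "2019/02/evil.jpg?/../../evil.jpg"),  # second payload shape from the article
    (14, "../../wp-config.php"),               # plain traversal out of uploads
]


def check_attached_file(value: str) -> list[str]:
    """Return the reasons a value is unsafe; an empty list means it passes."""
    problems: list[str] = []
    # Percent-decode first so an encoded '?' or '..' is not missed.
    decoded = unquote(value)

    if "\x00" in decoded:
        problems.append("null byte")
    # A legitimate attachment path is a bare relative file name; '?' or '#'
    # only make sense in a URL, which is exactly what the first payload abuses.
    if "?" in decoded or "#" in decoded:
        problems.append("query string or fragment in file name")
    if decoded.startswith("/") or "\\" in decoded:
        problems.append("absolute path or backslash")
    # Any '..' segment is a traversal attempt, whether or not it escapes
    # the uploads directory (the second payload stays inside it).
    if ".." in decoded.split("/"):
        problems.append("path traversal segment")
    # Resolve against the uploads root and confirm the final path stays inside.
    resolved = posixpath.normpath(posixpath.join(UPLOADS_ROOT, decoded))
    if not resolved.startswith(UPLOADS_ROOT + "/"):
        problems.append("path traversal escapes uploads directory")
    return problems


def audit_postmeta(rows) -> dict[int, list[str]]:
    """Map post_id -> problems for every row that fails the check."""
    findings = {}
    for post_id, meta_value in rows:
        problems = check_attached_file(meta_value)
        if problems:
            findings[post_id] = problems
    return findings


if __name__ == "__main__":
    for post_id, problems in audit_postmeta(SAMPLE_ROWS).items():
        print(f"post {post_id}: {', '.join(problems)}")
```

Run against a real export, the same routine works on the output of `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_wp_attached_file'`; the `..` check is deliberately stricter than the "escapes the root" check, because the second payload never leaves the uploads tree and would otherwise pass.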

The vulnerability can be exploited to gain complete control over a WordPress site running an unpatched version. The code execution chain is no longer exploitable in WordPress 5.0.1 and 4.9.9, because those releases fixed another vulnerability and, in doing so, prevented users from setting arbitrary Post Meta entries.

However, the flaw can still be exploited if any installed third-party plugin incorrectly handles post meta entries.